Collectivism to help cybersecurity vendors of all colors

What happens when cybersecurity vendors get their heads together? Open data sharing for cybersec pros.
15 August 2022

Look what we can do when we work together. “2015 Sample Return Robot Challenge (201506100020HQ) (explored)” by NASA HQ PHOTO is licensed under CC BY-NC-ND 2.0.

There has long been a tacit agreement among cybersecurity vendors that, despite the marketing bluster of some, there is no single cybersecurity provider that can cover all the bases, all the time, and keep everyone safe. A decent level of protection is achieved, in most cases, by a mixed bag of tools, some home grown, others from multiple providers, with an emphasis placed on the word “multiple.”

That need for collectivism to protect organizations resulted in the announcement, at last week’s Black Hat cybersec event in Las Vegas, of a new open-source project that standardizes and normalizes data from any source that signs up to use a standard taxonomy.

The OCSF project (Open Cybersecurity Schema Framework) has 17 initial signatories, including founders AWS and Splunk. Others include Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

By using a standardized method of presenting and ingesting security data, every participating company sheds the overhead of normalizing other organizations’ intelligence. According to a press release, “OCSF adoption will enable security teams to increase focus on analyzing data, identifying threats and defending their organizations from cyberattacks.” In short, everyone can stop wasting time decoding everyone else’s take on how they share data, and build simple mechanisms to parse and act on all data shared by all parties.

In one of the least partisan rent-a-quotes, CEO and founder of JupiterOne Erkang Zheng said, “Normalizing data prior to ingestion has been one of the biggest pain points for security professionals, and the universal framework proposed by the OCSF, powered by a common domain knowledge across several security vendors, simplifies this time-consuming step, ultimately enabling better and stronger security for all.”

The creation of the OCSF project reflects the need to move beyond the “badlist/goodlist”-sharing facility that early antivirus providers developed. In turn, heuristic malware signature detection patterns were also widely shared historically, alongside intelligence as to rootkit distribution and best practices for perimeter protection. But these facilities no longer reflect the full gamut of methods deployed by bad actors. Ironically, there is good evidence to show that malicious code is widely shared among groups and individuals, although usually money changing hands stokes the fires of cozy collectivism, rather than any sense of goodwill towards fellow H4xx0rz.

Submissions to the OCSF are made via Git [GitHub], with all contributions, such as attribute suggestions or the addition of Event Classes, needing to be signed with a Developer Certificate of Origin. Unsurprisingly, the Contributions document states “We do not accept anonymous contributors nor those utilizing pseudonyms.”

The OCSF project builds on the Symantec-driven ICD Schema (Integrated Cyber Defense), which gained some traction but relied, in the main, on Symantec products for data collection. The new framework aims to be completely vendor-agnostic and extensible for every security use-case.